How to securely run curl with no password exposure on the command line for CTM API login


    Hi ALL

    Most of the time, when we call the CTM API /session/login endpoint with curl from the command line or from a shell script, we expose the username and password on the command line.

    Services - Documentation for Control-M Automation API 9.0.19 - BMC Documentation

    This security issue comes from the way curl options are usually passed when running scripts and command lines.

    The solution is very simple:

    A ) curl can read its options from a config file, so the command line no longer has to carry all of them

    B ) the CTM API username and password are written to a separate text file, ctmapi_credentials_file.json

    C ) that file is referenced as the POST data with the "-d @ctmapi_credentials_file.json" curl option

    Once curl is executed with -K curl_config_file.txt, the credentials are read from the file and no longer appear in the script or on the command line, as the screen sample below shows.

    Please find below the detailed solution:

    Create File: ctmapi_credentials_file.json

    {"username":"API_USER","password":"API_PWD"}

    Create File: curl_config_file.txt

    # curl config file: one option per line. An option written with its dashes is separated
    # from its value by whitespace only; written without dashes it may use "name = value".
    # Note that -k disables TLS certificate verification; with a trusted CA bundle the line
    # cacert = "<path to CA bundle>" keeps verification on instead.
    -k
    -H "Content-Type: application/json"
    -X POST
    -d @ctmapi_credentials_file.json
    url = "https://<add your ctm api host here>:8443/automation-api/session/login"
    --anyauth

    Execute command line:

    curl -K curl_config_file.txt

    Command line result:

    ,"token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","version":"9.0.4"}

    Sample script for CTM API curl with no password exposure on the command line:

    In the sample script below, curl_config_file.txt is created as part of the script execution:

    ------------------------
    #!/bin/ksh

    ctmapi_endpoint="https://<add your ctm api host here>:8443/automation-api"
    curl_config_file=curl_config_file.txt
    ctmapi_credentials_file=ctmapi_credentials_file.json

    # Create curl_config_file, one option per line.
    # "url = ..." is the config-file form of --url; an option written with its dashes
    # may not be followed by "=". -k disables TLS certificate verification.
    echo "-k" > "$curl_config_file"
    echo "-H \"Content-Type: application/json\"" >> "$curl_config_file"
    echo "-X POST" >> "$curl_config_file"
    echo "-d @$ctmapi_credentials_file" >> "$curl_config_file"
    echo "url = \"$ctmapi_endpoint/session/login\"" >> "$curl_config_file"
    echo "--anyauth" >> "$curl_config_file"

    # Get login token. The URL is already in the config file, so it is not repeated on the
    # command line (curl would otherwise request both URLs).
    login_token=$(curl -K "$curl_config_file")
    token=$(echo "$login_token" | awk -F"\"token\":\"" '{print $2}' | cut -d '"' -f 1)
    echo "$token"
    ------------------------
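    The same -K approach as a POSIX sh script, added here as an example and not part of the original post: it refuses to run if the credentials file is readable by other local users, creates the config file under a restrictive umask, and uses the config-file "url = ..." syntax. The CTM_CA_BUNDLE variable and the mktemp-based config path are assumptions of this example; the credentials file is the JSON document shown above.

```sh
#!/bin/sh
# Added example (not from the original post): the same curl -K approach, with
# the credentials file checked for group/other access, the config file created
# under a restrictive umask, and the config-file syntax url = "..." used.
set -eu

# Return 0 only when the file carries no group/other permission bits (0600/0400):
# keeping the password off the command line only helps if other users cannot read the file.
check_credentials_perms() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "refusing: $1 must be readable by its owner only" >&2; return 1 ;;
    esac
}

# Write the curl config: $1 = API base URL, $2 = credentials JSON path, $3 = output path.
# CTM_CA_BUNDLE (optional, assumed) is the CA that signed the CTM certificate, so verification stays on.
build_curl_config() {
    old_umask=$(umask); umask 077
    {
        echo '-H "Content-Type: application/json"'
        echo '-X POST'
        echo "-d @$2"
        echo "url = \"$1/session/login\""
        if [ -n "${CTM_CA_BUNDLE:-}" ]; then echo "cacert = \"$CTM_CA_BUNDLE\""; fi
        echo '--silent'
        echo '--show-error'
        echo '--fail'
    } > "$3"
    umask "$old_umask"
}

# Pull the token out of the login response regardless of field order.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# Log in and print the token: $1 = https://<host>:8443/automation-api, $2 = credentials file.
ctm_login() {
    check_credentials_perms "$2"
    cfg=$(mktemp)
    build_curl_config "$1" "$2" "$cfg"
    response=$(curl -K "$cfg")
    rm -f "$cfg"
    extract_token "$response"
}

if [ "$#" -eq 2 ]; then
    ctm_login "$1" "$2"
fi
```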

    I hope you like it and find it helpful for reuse.

    My Best Regards

    Adriano Gomes